Benefits of layer 2 encryption - MENOG

licoricehealthAI and Robotics

Nov 14, 2013 (3 years and 11 months ago)

105 views





How To Secure My Data







What
to Protect???



DATA


Data At Rest




Data at Rest Examples


Lost


Infected Easily


Used as ‘Backup’


Lent to others


Data Corruptions
more common



Stolen


Left at airports, on
trains etc


Hard disk corruption
common


Connected to many
networks


&

Data in Motion





Laptops
and Memory sticks should never have a
unique copy of important information.


All confidential information should be encrypted.


Staff informed of good working practises.


Make Sure Laptops are ‘Patched






Encryption

is the conversion of data into a
form
called a
ciphertext
that cannot be easily understood by unauthorized
people.


Decryption

is the process of converting encrypted data back
into its original form, so it can be understood


In
reality, encryption can happen at different layers of
a
network
stack, the following are just a few examples:


End
-
to
-
end
encryption happens within applications.


SSL
encryption takes place at the transport layer.


IPSec

encryption takes place at the network layer.


Layer
2 encryption takes place at the data link layer.


At
first glance encryption seems an easy choice; after all why
expose
confidential information to prying eyes when you can
protect it by scrambling?


Some
of the traditional objections to encryption include loss of
performance
and the
complexity of managing encryption keys.




Today
however modern hardware and software systems have
whittled away these issues to the extent that it is now possible
to deploy hardware encryption to secure information at full line
rates up to 10Gbps and with simple fully automatic key
management.


Layer
2 encryption is often referred to as a “bump in the wire”
technology.
The phrase
conveys the simplicity, maintainability
and performance benefits of layer
2 solutions
that are
designed to be transparent to end users with little or
no
performance
impact on network throughput.



In
a recent study
by the Rochester Institute of Technology
(RIT),
it was
determined
that Layer
2
encryption technologies
provide superior throughput and
far lower
latency than
IPSec

VPNs, which
operate
at Layer
3.


The
RIT
study concludes:


Enterprises that
need to
secure a
point
-
to
-
point link
are likely
to achieve better encryption
performance by shifting from
traditional encryption with
IPSec

at
Layer 3
to the overhead
-
free encryption of frame payloads at Layer 2.”




Only
Layer 2 encryption solution worldwide with 100% data
throughput rates of up to 10 gigabits per second without
overhead


scalable encryption solutions and optional upgrades


Easy to integrate into existing point
-
to
-
point, point
-
to
-
multipoint and multipoint
-
to
-
multipoint networks


Encrypts unicast, multicast and broadcast, supports class
of service, VLAN
-
ID and tagging




The outstanding performance with 100% encryption
throughput of up to 10 gigabits per second and the
extremely low latency in the microsecond range allow
the equipment to be used even in time
-
critical
applications and connections subject to heavy loads.
The Layer 2 approach guarantees a simple
configuration, bump
-
in
-
the
-
wire integration and minimal
maintenance.



Lowest
impact on network performance


Reduced complexity (bump in the wire)


Transparent to media (voice, data, video
etc.)


Little or no configuration


Operates at wire speed up to 10Gbps.


Introduces no overhead. In contrast, Layer 3
IPSec

typically
adds significant overhead (over 40% of available bandwidth
for smaller packets)


Implementation of Layer 2 encryption devices is simple



Outsourcing
of routing tables is also seen as a weakness of
Layer 3
VPN services
because many corporations don't want to
relinquish control or
even share
their routing schemes with
anyone, not even their service provider.
They prefer
Layer 2
network services, such as Ethernet, Frame Relay or ATM as
these are
simpler in architecture and allow customers to retain
control of their
own routing
tables.


Let’s

start

with

a

packet

the

way

it

is

transported

on

layer

3
:

It

consists

of

an

IP

header

and

the

payload
.

IPSec

ESP

transport

mode

adds

an

ESP

Header,

an

ESP

trailer

and

ESP


authentication
.

In

transport

mode

only

the

payload

is

encrypted

while

the

IP

header

remains

unprotected
.

The

established

way

to

encrypt

site
-
to
-
site

traffic

with

IPSec

is

the

tunnel

mode
.

A

new

IP

Header

is

added,

so

that

the

entire

IP

packet

(header

and

payload)

can

be

encrypted

without

sacrificing

network

compatibility
.


For
the transport over an Ethernet network the encrypted IP
packet
gets
a
MAC header
and a CRC checksum
.





For
Ethernet the entire IP packet encrypted with
IPSec

ESP Tunnel Mode is pure

payload. Accordingly a transport mode encryption at layer 2 can provide the same

protection as
IPSec

ESP Tunnel Mode without generating packet overhead. The
encryption can
encrypt the entire IP packet without introducing packet overhead.
IPSec

ESP Mode features Encapsulating Security Payload, which provides confidentiality,

data origin authentication, connectionless integrity and an anti
-
replay mechanism.

To maintain comparable layer
-
specific security, equivalent features need to be

implemented at layer 2. Some of the overhead that would have been generated at

layer 3 thus moves down to layer 2. Properly implemented it will cause less overhead

and be much
more
flexible in terms of network functionality than
IPSec

at layer 3.

At layer 3 it also matters if you encrypt IPv4 or IPv6. Both are
using
IPSec

as
encryption standard
, but the differences
between IPv4 and IPv6 make it a completely
different story.

At
layer 2 though, it does not make any difference if the

payload
to be
encrypted consists
of IPv4 or IPv6.

It is possible to encrypt Ethernet using
IPSec
. In order to do so
the Ethernet
frame has
to be fork lifted up to layer 3 to
become IP payload. As soon as the
Ethernet frame
is IP
payload it can be encrypted at layer 3 with
IPSec
. As IP is
transported over
Ethernet the result is Ethernet transported
over IP over Ethernet. It is as
inefficient as
it sounds. If e.g.
L2TPv3 is used to transport Ethernet over IP the overhead

generated by encapsulation is 50 bytes.





IPSec

encryption will add another 38
-
53 bytes. The security
overhead and the
security are
limited as only transport mode
can be used
in
this scenario
.



Let’s
start again with an IP packet the way it is transported on
layer 3: It consists of
an IP
-
header
and the payload. For the
transport on layer 2 on Ethernet the packet is
framed with
a
MAC header and a CRC checksum. For Ethernet it doesn’t
make a difference
if the
IP packet is encrypted or not, it is just
payload.


A
transport mode encryption at layer 2 will encrypt the entire
IP packet including the
IP header
without requiring any
tunneling. Tunneling alone generates 20
-
40 bytes of avoidable

overhead
and adds noticeable latency.


To
get a better understanding how layer 2
encryptors

encrypt
at layer 2 it is best to
look at
the different encryption modes:

A
-

Bulk

Mode










Bulk Mode (also known under the terms Frame Encryption and Link
Encryption) encrypts
the entire Ethernet frame between the Preamble and the
Interframe

Gap
. To reach the
same coverage when encrypting the frame with a layer
3
encryptor
, the entire Ethernet
frame would have to be lifted up to layer 3,
encapsulated and
then encrypted with
IPSec

ESP Tunnel Mode. This would
cause massive
and unnecessary overhead. The Bulk Mode
on layer 2 limits the
available usage
scenario to Hop
-
to
-
hop, as all relevant addressing
info is encrypted



B
-

Transport
Mode

The most widely used encryption mode is the transport mode.
The reason
behind this
is the full network compatibility
ensured by limiting the encryption
to
the payload.


C
-

Tunnel
Mode

Tunnel mode is also an option on layer 2, but only used if the
entire
original frame
must be encrypted and the encryption
needs to support a
multi
-
hopscenario
. Tunneling
adds
overhead
and processing time
.



What are Weaknesses ??



How To Solve??


There
are a few attacks, Below are some of them:


Replay Attacks


Rewrite Attacks


Convert
Signalling

Attacks




If
the message is an encrypted, why should we care about
replay?


The reason is that:

o
If an outsider captures the encrypted message and re
-
send it,
he/she might attack the system

S
e
n
d

a

m
e
s
s
a
g
e

o
f
"
p
a
y

C
h
a
n

T
a
i

M
a
n

1
0
0
0
"
$
%
&
*
(
P
a
y

C
h
a
n

T
a
i

M
a
n

1
0
0
0
P
a
y

C
h
a
n

T
a
i

M
a
n

1
0
0
0
P
a
y

C
h
a
n

T
a
i

M
a
n

1
0
0
0
$
%
&
*
(
$
%
&
*
(
A
l
i
c
e
P
l
a
y
-
i
t
-
a
g
a
n
S
a
m
B
o
b

a
n
d

h
i
s

c
o
l
l
e
a
g
u
e
s
B
o
g
u
s
C
o
p
i
e
s
G
e
n
u
i
n
e


Alice
sends a message of “pay Chan Tai Man” to Bob. She
sends one genuine (true) message.


Play
-
it
-
again
Sam

captures the encrypted message and re
-
sends twice to Bob.


Bob and his colleagues will then pay Chan Tai Man three
times.


Of course, Sam will have certain benefits of doing this.



Each plaintext message must have an extra information
such as message number.


If the receiver receives a duplicated message, it is
discarded
.




This will solve it in TCP/IP (layers 3 & 4). It has this feature to
solve this problem

2

data2

2
2

data2



If
an hacker knows the contents, he/she can modify the
encrypted message.


Say for example, the encrypted message of pay 1000 is
89^&
o
iu
, he/she can modify
89^&
a
iu

by changing o to a.
The resulting plaintext message is 9000.
(This assumes
that 89^&
aiu

will produce 9000.)


There are many methods. Below are some of them

1.
Avoid products using other modes. Always use block
ciphers
techniques
. (crude rewrite attacks are still
possible with block mode.); or

2.
Insert a random number into each packet, include it in
the packet checksum and encrypt the resulting packet; or

3.
Use
digital signature to authenticate the source of data.
(the message is signed)



A
digital signature

is basically a way to ensure that an
electronic document (e
-
mail, spreadsheet, text file, etc.) is
authentic
. Authentic means that you know who created the
document and you know that it has not been altered in any
way since that person created it.




Digital
signatures rely on certain types
of
encryption
to
ensure authentication. Encryption is the process of taking
all the data that one computer is sending to another and
encoding it into a form that only the other computer will be
able to decode. Authentication is the process of verifying
that information is coming from a trusted source. These two
processes work hand in hand for digital signatures.




a message may be encrypted, but not digitally signed (only people with
the key can read it,

but the reader cannot be certain who actually wrote it)



a message may be digitally signed, but not encrypted (everyone can tell
who wrote it, and

everyone can read it)



a message may be encrypted first, then digitally signed (only someone
with the key can read

it, but anyone can tell who wrote it)



a message may be digitally signed first, then encrypted (only someone
with the key can read

it, and only that same reader can be sure who sent the document)




Thank
You



Mohammad Jarrar